p59342861
/
monkey
forked from p15670423/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Improved formatting and link styles in SecurityReport.js

This commit is contained in:
VakarisZ 2021-03-01 10:16:08 +02:00 committed by Mike Salvatore
parent 8eeed20f7e
commit e49b7b85cc
1 changed files with 123 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

167
monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js
View File

@ -23,7 +23,6 @@ import {faExclamationTriangle} from '@fortawesome/free-solid-svg-icons';
import '../../styles/App.css'; import '../../styles/App.css';
class ReportPageComponent extends AuthComponent { class ReportPageComponent extends AuthComponent {
Issue = Issue =
@ -258,54 +257,102 @@ class ReportPageComponent extends AuthComponent {
return x === true; return x === true;
}).length} threats</span>: }).length} threats</span>:
<ul> <ul>
{this.state.report.overview.issues[this.Issue.STOLEN_SSH_KEYS] ? {this.state.report.overview.issues[this.Issue.STOLEN_SSH_KEYS] &&
<li>Stolen SSH keys are used to exploit other machines.</li> : null} <li>Stolen SSH keys are used to exploit other machines.</li>}
{this.state.report.overview.issues[this.Issue.STOLEN_CREDS] ? {this.state.report.overview.issues[this.Issue.STOLEN_CREDS] &&
<li>Stolen credentials are used to exploit other machines.</li> : null} <li>Stolen credentials are used to exploit other machines.</li>}
{this.state.report.overview.issues[this.Issue.ELASTIC] ? {this.state.report.overview.issues[this.Issue.ELASTIC] &&
<li>Elasticsearch servers are vulnerable to <a <li>Elasticsearch servers are vulnerable to
href="https://www.cvedetails.com/cve/cve-2015-1427">CVE-2015-1427</a>. <Button
</li> : null} variant={"link"}
{this.state.report.overview.issues[this.Issue.VSFTPD] ? href="https://www.cvedetails.com/cve/cve-2015-1427"
<li>VSFTPD is vulnerable to <a target={"_blank"}
href="https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor">CVE-2011-2523</a>. className={"security-report-link"}>CVE-2015-1427
</li> : null} </Button>.
{this.state.report.overview.issues[this.Issue.SAMBACRY] ? </li>}
<li>Samba servers are vulnerable to SambaCry (<a {this.state.report.overview.issues[this.Issue.VSFTPD] &&
<li>VSFTPD is vulnerable to
<Button
variant={"link"}
href="https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor"
target={"_blank"}
className={"security-report-link"}>
CVE-2011-2523
</Button>.
</li>}
{this.state.report.overview.issues[this.Issue.SAMBACRY] &&
<li>Samba servers are vulnerable to SambaCry (
<Button
variant={"link"}
href="https://www.samba.org/samba/security/CVE-2017-7494.html" href="https://www.samba.org/samba/security/CVE-2017-7494.html"
>CVE-2017-7494</a>).</li> : null} target={"_blank"}
{this.state.report.overview.issues[this.Issue.SHELLSHOCK] ? className={"security-report-link"}>
<li>Machines are vulnerable to Shellshock (<a CVE-2017-7494
href="https://www.cvedetails.com/cve/CVE-2014-6271">CVE-2014-6271</a>). </Button>).
</li> : null} </li>}
{this.state.report.overview.issues[this.Issue.CONFICKER] ? {this.state.report.overview.issues[this.Issue.SHELLSHOCK] &&
<li>Machines are vulnerable to Conficker (<a <li>Machines are vulnerable to Shellshock (
<Button
variant={"link"}
href="https://www.cvedetails.com/cve/CVE-2014-6271"
target={"_blank"}
className={"security-report-link"}>
CVE-2014-6271
</Button>).
</li>}
{this.state.report.overview.issues[this.Issue.CONFICKER] &&
<li>Machines are vulnerable to Conficker (
<Button
variant={"link"}
href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067" href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-067"
>MS08-067</a>).</li> : null} target={"_blank"}
{this.state.report.overview.issues[this.Issue.WEAK_PASSWORD] ? className={"security-report-link"}>
MS08-067
</Button>).
</li>}
{this.state.report.overview.issues[this.Issue.WEAK_PASSWORD] &&
<li>Machines are accessible using passwords supplied by the user during the Monkeys <li>Machines are accessible using passwords supplied by the user during the Monkeys
configuration.</li> : null} configuration.</li>}
{this.state.report.overview.issues[this.Issue.AZURE] ? {this.state.report.overview.issues[this.Issue.AZURE] &&
<li>Azure machines expose plaintext passwords. (<a <li>Azure machines expose plaintext passwords. (
<Button
variant={"link"}
href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/" href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"
>More info</a>)</li> : null} target={"_blank"}
{this.state.report.overview.issues[this.Issue.STRUTS2] ? className={"security-report-link"}>
<li>Struts2 servers are vulnerable to remote code execution. (<a More info
href="https://cwiki.apache.org/confluence/display/WW/S2-045"> </Button>)
CVE-2017-5638</a>)</li> : null} </li>}
{this.state.report.overview.issues[this.Issue.WEBLOGIC] ? {this.state.report.overview.issues[this.Issue.STRUTS2] &&
<li>Oracle WebLogic servers are susceptible to a remote code execution vulnerability.</li> : null} <li>Struts2 servers are vulnerable to remote code execution. (
{this.state.report.overview.issues[this.Issue.HADOOP] ? <Button
<li>Hadoop/Yarn servers are vulnerable to remote code execution.</li> : null} variant={"link"}
{this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] ? href="https://cwiki.apache.org/confluence/display/WW/S2-045"
target={"_blank"}
className={"security-report-link"}>
CVE-2017-5638
</Button>)
</li>}
{this.state.report.overview.issues[this.Issue.WEBLOGIC] &&
<li>Oracle WebLogic servers are susceptible to a remote code execution vulnerability.</li>}
{this.state.report.overview.issues[this.Issue.HADOOP] &&
<li>Hadoop/Yarn servers are vulnerable to remote code execution.</li>}
{this.state.report.overview.issues[this.Issue.PTH_CRIT_SERVICES_ACCESS] &&
<li>Mimikatz found login credentials of a user who has admin access to a server defined as <li>Mimikatz found login credentials of a user who has admin access to a server defined as
critical.</li> : null} critical.</li>}
{this.state.report.overview.issues[this.Issue.MSSQL] ? {this.state.report.overview.issues[this.Issue.MSSQL] &&
<li>MS-SQL servers are vulnerable to remote code execution via xp_cmdshell command.</li> : null} <li>MS-SQL servers are vulnerable to remote code execution via xp_cmdshell command.</li>}
{this.state.report.overview.issues[this.Issue.DRUPAL] ? {this.state.report.overview.issues[this.Issue.DRUPAL] &&
<li>Drupal servers are susceptible to a remote code execution vulnerability <li>Drupal servers are susceptible to a remote code execution vulnerability
(<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340"> (<Button
CVE-2019-6340</a>).</li> : null} variant={"link"}
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340"
target={"_blank"}
className={"security-report-link"}>
CVE-2019-6340
</Button>).
</li>
}
{this.generateZerologonOverview()} {this.generateZerologonOverview()}
</ul> </ul>
</div> </div>
@ -328,12 +375,15 @@ class ReportPageComponent extends AuthComponent {
The Monkey uncovered the following possible set of issues: The Monkey uncovered the following possible set of issues:
<ul> <ul>
{this.state.report.overview.warnings[this.Warning.CROSS_SEGMENT] ? {this.state.report.overview.warnings[this.Warning.CROSS_SEGMENT] ?
<li key={this.Warning.CROSS_SEGMENT}>Weak segmentation - Machines from different segments are able to <li key={this.Warning.CROSS_SEGMENT}>Weak segmentation - Machines from different segments are able
to
communicate.</li> : null} communicate.</li> : null}
{this.state.report.overview.warnings[this.Warning.TUNNEL] ? {this.state.report.overview.warnings[this.Warning.TUNNEL] ?
<li key={this.Warning.TUNNEL}>Weak segmentation - Machines were able to communicate over unused ports.</li> : null} <li key={this.Warning.TUNNEL}>Weak segmentation - Machines were able to communicate over unused
ports.</li> : null}
{this.state.report.overview.warnings[this.Warning.SHARED_LOCAL_ADMIN] ? {this.state.report.overview.warnings[this.Warning.SHARED_LOCAL_ADMIN] ?
<li key={this.Warning.SHARED_LOCAL_ADMIN}>Shared local administrator account - Different machines have the same account as a local <li key={this.Warning.SHARED_LOCAL_ADMIN}>Shared local administrator account - Different machines
have the same account as a local
administrator.</li> : null} administrator.</li> : null}
{this.state.report.overview.warnings[this.Warning.SHARED_PASSWORDS] ? {this.state.report.overview.warnings[this.Warning.SHARED_PASSWORDS] ?
<li key={this.Warning.SHARED_PASSWORDS}>Multiple users have the same password</li> : null} <li key={this.Warning.SHARED_PASSWORDS}>Multiple users have the same password</li> : null}
@ -487,7 +537,8 @@ class ReportPageComponent extends AuthComponent {
} }
generateInfoBadges(data_array) { generateInfoBadges(data_array) {
return data_array.map(badge_data => <span key={badge_data} className="badge badge-info" style={{margin: '2px'}}>{badge_data}</span>); return data_array.map(badge_data => <span key={badge_data} className="badge badge-info"
style={{margin: '2px'}}>{badge_data}</span>);
} }
generateCrossSegmentIssue(crossSegmentIssue) { generateCrossSegmentIssue(crossSegmentIssue) {
@ -683,16 +734,19 @@ class ReportPageComponent extends AuthComponent {
Update your VSFTPD server to the latest version vsftpd-3.0.3. Update your VSFTPD server to the latest version vsftpd-3.0.3.
<CollapsibleWellComponent> <CollapsibleWellComponent>
The machine <span className="badge badge-primary">{issue.machine}</span> (<span The machine <span className="badge badge-primary">{issue.machine}</span> (<span
className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) has a backdoor running at port <span className="badge badge-info" style={{margin: '2px'}}>{issue.ip_address}</span>) has a backdoor running at
port <span
className="badge badge-danger">6200</span>. className="badge badge-danger">6200</span>.
<br/> <br/>
The attack was made possible because the VSFTPD server was not patched against CVE-2011-2523. The attack was made possible because the VSFTPD server was not patched against CVE-2011-2523.
<br/><br/>In July 2011, it was discovered that vsftpd version 2.3.4 downloadable from the master site had been <br/><br/>In July 2011, it was discovered that vsftpd version 2.3.4 downloadable from the master site had been
compromised. compromised.
Users logging into a compromised vsftpd-2.3.4 server may issue a ":)" smileyface as the username and gain a command Users logging into a compromised vsftpd-2.3.4 server may issue a ":)" smileyface as the username and gain a
command
shell on port 6200. shell on port 6200.
<br/><br/> <br/><br/>
The Monkey executed commands by first logging in with ":)" in the username and then sending commands to the backdoor The Monkey executed commands by first logging in with ":)" in the username and then sending commands to the
backdoor
at port 6200. at port 6200.
<br/><br/>Read more about the security issue and remediation <a <br/><br/>Read more about the security issue and remediation <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523"
@ -807,7 +861,8 @@ class ReportPageComponent extends AuthComponent {
generateSharedLocalAdminsIssue(issue) { generateSharedLocalAdminsIssue(issue) {
return ( return (
<> <>
Make sure the right administrator accounts are managing the right machines, and that there isnt an unintentional local Make sure the right administrator accounts are managing the right machines, and that there isnt an
unintentional local
admin sharing. admin sharing.
<CollapsibleWellComponent> <CollapsibleWellComponent>
Here is a list of machines which the account <span Here is a list of machines which the account <span
@ -924,9 +979,13 @@ class ReportPageComponent extends AuthComponent {
className="badge badge-danger">MSSQL exploit attack</span>. className="badge badge-danger">MSSQL exploit attack</span>.
<br/> <br/>
The attack was made possible because the target machine used an outdated MSSQL server configuration allowing The attack was made possible because the target machine used an outdated MSSQL server configuration allowing
the usage of the xp_cmdshell command. To learn more about how to disable this feature, read <a the usage of the xp_cmdshell command. To learn more about how to disable this feature, read
href="https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017"> <Button
Microsoft's documentation. </a> variant={"link"}
href="https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017"
target={"_blank"}
className={"security-report-link"}>
Microsoft's documentation. </Button>
</CollapsibleWellComponent> </CollapsibleWellComponent>
</> </>
); );